CVE-2025-66916 · CRITICAL 9.4 · EPSS p45.3%

Description

In the snailjob component of RuoYi-Vue-Plus versions 5.5.1 and earlier, the interface /snail-job/workflow/check-node-expression can execute QLExpress expressions but does not filter user input, allowing attackers to use the File class to perform arbitrary file reading and writing.

Scoring

CVSS 3.1: 9.4 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.63% probability of exploitation · percentile 45.3% · 2026-06-18T12:00:27Z
Published: 2026-01-08
Last modified: 2026-01-30

Underlying weaknesses · 1

CWE-94

References

  1. https://gist.github.com/Catherines77/e3f06b9c4cc6298579e858088a243c3d
  2. https://gitee.com/dromara/RuoYi-Vue-Plus
  3. https://github.com/Catherines77/code-au/blob/main/ruoyi-vue-plus/QLExpress.md

Type: Weakness
Target: Improper Control of Generation of Code ('Code Injection') (cwe-94)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-2622
  2. CVE-2025-2708
  3. CVE-2025-10988
  4. CVE-2025-6925
  5. CVE-2025-41735
  6. CVE-2026-21628

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.